Tech

How to Protect Yourself From the Heartbleed Bug

An encryption flaw called the Heartbleed bug that has exposed a collection of popular websites — from Airbnb and Yahoo to NASA and OKCupid — could be one of the biggest security threats the Internet has ever seen. If you have logged into any of the affected sites over the past two years, your account information could be compromised, allowing cybercriminals to snap up your credit card information or steal your passwords.

You're likely affected either directly or indirectly by the bug, which was found by a member of Google's security team and a software firm named Codenomicon. The bad news: There's not a lot you can do about it now. It's the responsibility of Internet companies to update their servers to deal with Heartbleed, and once they do, you can take action (see below).

The issue involves network software called OpenSSL, which is an open-source set of libraries for encrypting online services. Secure websites — with “https” in the URL ("s" stands for secure) — make up 56% of websites, and nearly half of those sites were vulnerable to the bug. In theory, a cybercriminal could have exploited Heartbleed by making network requests that could piece together your sensitive data. The good news: There isn't any indication that a hacker caught wind of this; it seems the researchers were the first to locate the problem.

But the scary part is that attackers could have infiltrated these websites, extracted the information they wanted and left no trace of their presence. Thus, it's hard to determine whether someone ever exploited the bug, or if your account information was compromised.

Next, change your passwords for major accounts — email, banking and social media logins — on sites that were affected by Heartbleed but patched the problem. That patch should also include reissuing any digital certificates that might be vulnerable. However, if the site or service hasn't patched the flaw yet, there's no point to changing your password. Instead, ask the company when it expects to push out a fix to deal with Heartbleed.

A big cause for concern is related to sites that have your sensitive information, such as Yahoo and OKCupid (most people aren't logging into NASA.gov with private data). Both companies have since issued a patch to fix the security hole, so users with accounts with those companies — including Yahoo Mail, Flickr and so on — should update their passwords immediately.

It's important to wait to get the "all clear" sign from a company or service before changing, especially now that this bug is out in the open. Changing a password before the bug is fully patched wont' make things any better.

Facebook and Twitter use OpenSSL web servers, though it's still unclear whether or not they were vulnerable to the issue. Facebook reportedly issued a security patch, as did Google.

Other websites that have issued an OpenSSL software security update include WordPress, Amazon Web Services and Akamai.

Some websites not considered vulnerable include AOL, Foursquare and Evernote, among others.

"It's a big deal for Internet users, especially when it comes to protecting financial information," Joe Siegrist, CEO and cofounder of LastPass, told Mashable. "Some financial organizations are using more conservative web security choices like Microsoft, which is not vulnerable to the bug, so users should check and see if their bank has been affected."

Make sure to keep an eye on sensitive online accounts, especially banking and email, for suspicious activity for the next week or so.

What's Hot

More in Tech

What's New

What's Rising

What's Hot

Mashable
is a leading global media company that informs, inspires and entertains the digital generation. Mashable is redefining storytelling by documenting and shaping the digital revolution in a new voice, new formats and cutting-edge technologies to a uniquely dedicated audience of 42 million monthly unique visitors and 24 million social followers.